Cross-site scripting is the most dangerous and likely way of hacking the application, no matter which programming language is it written in. With an introduction of cfparam, coldfusion became much more secure tool for applications dealing with storing and accessing a sensitive data.

The most common form of XSS is to put some Javascript in user's submitted content to steal the data in user's cookie.

The only way to prevent XSS attacks is to restrict and filter user's input.

Below is a script illustrating how to prevent some of the possibilities that may happen:

function generate_correct_input($string, $string_lenght = null) {

//remove dead spaces
$string = trim($string);

$string = utf8_decode($string);

$string = htmlentutues($string, ENT_NOQUOTES);

//now, create as many lines as you wish, to block some of html characters
$string = str_replace("#", "#", $string);
$string = str_replace("%", "%", $string);
$string = str_replace("<", "<", $string);
$string = str_replace(">", ">", $string);

$string_lenght = intval($string_lenght);

if ($string_lenght > 0) {
$string = substr($string, 0, $string_lenght);

return $string;

Above script is ready to use, with no additional modifications, for very beginners below is an example illustrating how to implement above script in your application:

$sent_variable_username = generate_correct_input($_POST['username']);

$sql = 'INSERT into XXX(username) VALUES '$sent_variable_username';

Tagged: configuration  php  web programming  script  php script  security